malwarewikiaorg-20200223-history
Gruel
Gruel, also known as Fakerr, is a destructive e-mail worm that began spreading in 2003, targeting machines running Windows 98, Windows ME, Windows 2000 and Windows XP. It arrives as an e-mail attachment that claims to be an important update from Microsoft, and it also attempts to spread through the Kazaa file-sharing network (see below).

Initial effects

When the user runs the attachment, the worm creates a program on the desktop named "Killerguate 1.03" and displays a fake error message. Whichever option the user picks in that dialog, the worm then mass-mails itself to all of the user's contacts, kills explorer.exe (removing the taskbar and desktop icons), opens several default settings windows, ejects the CD-ROM tray and displays a message.

Next, the worm copies itself, with the hidden attribute set, to the root of the C: drive as RUNDLL32.EXE and modifies the startup keys for several executable file extensions. It also creates or modifies Registry entries that prevent logging off, closing Explorer, opening Task Manager, locking the workstation and changing the password. The worm tries to copy itself to the Kazaa P2P (peer-to-peer) client's shared folder as 'Norton 2003 Pro.exe', but there is a bug in that routine and the copy never succeeds.

Some variants carry an additional, destructive payload. It can delete the following files from the infected hard drive:

C:\WINNT\system32\ntoskrnl.exe
C:\WINNT\system32\command.com
C:\WINNT\regedit.exe
C:\windows\system32\ntoskrnl.exe
C:\windows\system32\command.com
C:\windows\regedit.exe
C:\AUTOEXEC.bat
C:\config.sys
C:\WINNT\system32\*.exe
C:\WINNT\system32\*.com
C:\WINNT\system32\*.dll
C:\WINNT\system32\*.ocx
C:\windows\system32\*.dll
C:\windows\system32\*.ocx
C:\windows\system32\*.exe
C:\windows\system32\*.com

It can also delete all files from the following folders:

C:\WINNT\system (Windows 2000)
C:\windows\system (Windows 9x to XP and up)
C:\WINNT\system32 (Windows 2000)
C:\windows\system32 (Windows 9x to XP and up)
D:\

Lasting effects

Upon restarting the computer, the full extent of the worm's damage becomes apparent. The C:\ drive can no longer be opened from Explorer or My Computer, the Run option is removed from the Start Menu, and Task Manager is blocked. This makes it next to impossible to remove the Registry keys the worm created from within the infected system. On top of this, the worm hooks all .exe, .pif, .scr and .com files to itself, much like the Hippi virus, so that launching any such file runs the worm instead, which leaves the computer essentially unusable. With the Registry effectively destroyed, and no way of attaching a mass storage device carrying a replacement Registry file (Explorer being inaccessible), the only practical repair, short of an expert-level rebuild of the entire system Registry, is to format or replace the hard drive.

Worm behaviour

The worm mails itself to every address found in the user's Outlook Express address book, using the following subject, body and attachment:

Subject: Symantec: New serious virus found

Body: Norton Security Response: has detected a new virus in the Internet. For this reason we made this tool attachement, to protect your computer from this serious virus. Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 5 (Maximum ).

Attachment: Norton_Symantec_Tool.exe

The attachment is the worm itself.

Trivia

* Gruel's fake error message, on closer inspection, has numerous graphical, grammatical and spelling errors that make its fake nature immediately obvious:
** 'Microsoft' is in lower case.
** The fake dialog is thinner than a legitimate error dialog of that type.
** 'Windows has encountered a problem a needs to close'
** 'We have created an error message thet you cand send to us'
** 'we' will treat this report as confidential and anounymous'
** 'Windows X found serious error' (no genuine error dialog of this type uses that phrase)
The worm therefore relies on impatient users who click the 'Send and Close' button without taking a closer look at the dialog.
* In some cases Internet Explorer still works, as seen at the end of danooct1's 'review' of Gruel.

Gallery

Gruelerror.png | The fake error that Gruel displays on activation
Gruel.png | Gruel's payload in action

Category:Worm Category:Email worm Category:Win32 Category:Win32 worm
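The Registry lockdown and executable hooking described under Initial effects and Lasting effects are a general class of tampering, not specific to Gruel, and they can be checked for on a current Windows host. The script below is an added example written for this page; it is not code from the Malware Wiki or from the worm itself. The page does not name the exact Registry values Gruel writes, so the policy value names in the script are assumptions: they are the documented Windows policy values that produce each symptom the page lists (Task Manager, Log Off, Lock Workstation and Change Password blocked, Run removed, drives unopenable in Explorer). The file-handler check looks at the HKEY_CLASSES_ROOT shell\open\command for the four file types the page says the worm hooks, and the file check looks for the hidden C:\RUNDLL32.EXE copy and the "Killerguate 1.03" desktop program named on the page. It is read-only.

```powershell
# Added example, not from the page or the worm: triage for Gruel-style tampering.
# Policy value names below are assumptions based on the documented Windows policy
# values behind each listed symptom; the page itself does not name them.

$policyChecks = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';         Symptom = 'Task Manager blocked' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableLockWorkstation'; Symptom = 'Lock Workstation blocked' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableChangePassword';  Symptom = 'Change Password blocked' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                  Symptom = 'Run removed from Start Menu' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoLogoff';               Symptom = 'Log Off blocked' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoClose';                Symptom = 'Shut Down removed' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoViewOnDrive';          Symptom = 'drive cannot be opened in Explorer / My Computer' }
)

function Test-LockdownPolicies {
    # Report a non-zero value in either the per-user (HKCU) or machine-wide (HKLM) policy key.
    foreach ($c in $policyChecks) {
        foreach ($hive in 'HKCU', 'HKLM') {
            $path = "${hive}:\$($c.Key)"
            $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item -and $item.($c.Name) -ne 0) {
                [pscustomobject]@{ Check = 'Policy'; Location = "$path\$($c.Name)"; Value = $item.($c.Name); Symptom = $c.Symptom }
            }
        }
    }
}

function Test-ExecutableHandlers {
    # The page says the worm hooks .exe, .pif, .scr and .com to itself. A clean handler
    # starts with "%1" (run the file that was opened); anything in front of it is a hook.
    foreach ($progId in 'exefile', 'comfile', 'piffile', 'scrfile') {
        $key = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrEmpty($cmd)) { continue }
        if ($cmd -notmatch '^\s*"%1"') {
            [pscustomobject]@{ Check = 'FileHandler'; Location = $key; Value = $cmd; Symptom = "$progId files launch through another program" }
        }
    }
}

function Test-DroppedFiles {
    # Hidden copy in the root of C: named after a legitimate system binary (-Force shows hidden files).
    $root = Get-Item -LiteralPath 'C:\RUNDLL32.EXE' -Force -ErrorAction SilentlyContinue
    if ($root) {
        [pscustomobject]@{ Check = 'File'; Location = $root.FullName; Value = $root.Attributes; Symptom = 'RUNDLL32.EXE outside the system directory' }
    }
    # The page gives the desktop program's name but not its extension, so match on the prefix.
    $desktop = [Environment]::GetFolderPath('Desktop')
    Get-ChildItem -LiteralPath $desktop -Filter 'Killerguate 1.03*' -Force -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Check = 'File'; Location = $_.FullName; Value = $_.Attributes; Symptom = 'program dropped on the desktop' }
    }
}

$findings = @(Test-LockdownPolicies) + @(Test-ExecutableHandlers) + @(Test-DroppedFiles)
if ($findings.Count -eq 0) {
    'No Gruel-style indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Two caveats apply. First, the Windows 9x and ME systems the worm targeted have no PowerShell and store the per-user policies only under HKCU; the script demonstrates the mechanism on a current host rather than being a removal tool for a 2003 infection. Second, the file-handler check is the one that matters for recovery: once exefile\shell\open\command points at the worm, every .exe launched to clean the machine runs the worm first, which is why the page concludes that the Registry has to be repaired from outside the infected system. The handler values can be read and repaired from a recovery environment by loading the offline SOFTWARE hive, which avoids the trapped-inside-Explorer problem the page describes.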